1. Technical Field
The present invention relates generally to an improved data processing system and in particular to a method and apparatus for executing instructions in a data processing system. Still more particularly, the present invention relates to a method, apparatus, and computer instructions for processing instructions in a manner to prevent vulnerability to virus and worm attacks.
2. Description of Related Art
The Internet, also referred to as an “internetwork”, is a set of computer networks, possibly dissimilar, joined together by means of gateways that handle data transfer and the conversion of messages from a protocol of the sending network to a protocol used by the receiving network. When capitalized, the term “Internet” refers to the collection of networks and gateways that use the TCP/IP suite of protocols.
The Internet has become a cultural fixture as a source of both information and entertainment. Many businesses are creating Internet sites as an integral part of their marketing efforts, informing consumers of the products or services offered by the business or providing other information seeking to engender brand loyalty. Many federal, state, and local government agencies are also employing Internet sites for informational purposes, particularly agencies which must interact with virtually all segments of society such as the Internal Revenue Service and secretaries of state. Providing informational guides and/or searchable databases of online public records may reduce operating costs. Further, the Internet is becoming increasingly popular as a medium for commercial transactions.
Currently, the most commonly employed method of transferring data over the Internet is to employ the World Wide Web environment, also called simply “the Web”. Other Internet resources exist for transferring information, such as File Transfer Protocol (FTP) and Gopher, but have not achieved the popularity of the Web. In the Web environment, servers and clients effect data transaction using the Hypertext Transfer Protocol (HTTP), a known protocol for handling the transfer of various data files (e.g., text, still graphic images, audio, motion video, etc.). The information in various data files is formatted for presentation to a user by a standard page description language, the Hypertext Markup Language (HTML). In addition to basic presentation formatting, HTML allows developers to specify “links” to other Web resources identified by a Uniform Resource Locator (URL). A URL is a special syntax identifier defining a communications path to specific information. Each logical block of information accessible to a client, called a “page” or a “Web page”, is identified by a URL. The URL provides a universal, consistent method for finding and accessing this information, not necessarily for the user, but mostly for the user's Web “browser”. A browser is a program capable of submitting a request for information identified by an identifier, such as, for example, a URL. A user may enter a domain name through a graphical user interface (GUI) for the browser to access a source of content. The domain name is automatically converted to the Internet Protocol (IP) address by a domain name system (DNS), which is a service that translates the symbolic name entered by the user into an IP address by looking up the domain name in a database.
With this increased connectivity through the Internet, computer systems are experiencing an increasing number of attacks by individuals using increasingly sophisticated methods of attack. As the number of systems connected to insecure networks, both intranet and Internet, the potential for damage increases. The increasing dependence on a single operating system (Microsoft Windows), and a single processor architecture (Intel) for the vast majority of systems has exacerbated this problem and made worldwide attacks possible to infect very large numbers of computer systems.
The currently available solutions include, for example, virus detection software, firewalls, government initiatives, security policies, and evaluation systems. Virus detection software are programs or code that scan data input through network connections and file systems for some 64000+ known viruses, as well as, applying rules based tools to scan for “virus like” programs. Firewalls are used to block network access from sources not specifically allowed.
Extensive initiatives from US Government agencies, such as NSA, NIAP, NIST, and FIPS, are being implemented. NSTISSP No. 11 is a security policy governing acquisition of IT products by the US Government. Further, International community support is present for the Common Criteria (CC) Evaluation of IT systems.
Starting in the early 1980s the US government established initiatives targeted at increasing the security level of computer systems. Early efforts most widely known as the “Orange Book” started with the NSA's “Rainbow Series” were evaluated by other governments and an initiative known as the Common Criteria emerged to develop a set of “common” security standards that would be recognized by governments of member nations. This effort is currently receiving rapidly increasing support from the predominately Western member nations and membership has increased from 7 nations to 13 nations with additional interest being shown by Japan, China, Korea and other Asian nations.
The standard known as the Common Criteria v1.0 was initially released in 1996, is currently at v2.1 (2001), and has widespread acceptance, as well as, ISO recognition. This standard provides comprehensive discussions of security using a hierarchical framework of security concepts and terminology with viewpoints from consumers, developers, and evaluators/certifiers. The standard outlines extensive security methology start in design and follow through to deployment. This standard is a rapidly evolving standard, reacting to the changing demands of international security. An interim update to v2.2 is due in 2003 and a major rewrite of the standard (v3.0) is planned for 2005.
The most influential event in the acceptance of security standards was Directive NSTISSP no. 11 from the chairman of the NSTISSP. In February 2000, it was directed that all IT systems acquired after 1 Jul. 2002 that need information Assurance (IA) be certified by the Common Criteria or the FIPS Cryptomodule Validation Program. This has resulted in many companies selling IT equipment to the US government to start certification programs. Additionally Presidential Decision Directive on Critical Infrastructure Protection (PDD-63) encourages CC certification for the operation of any IT system associated with the operation of critical infrastructures.
These current solutions all have drawbacks. For example, virus detection programs are effective only against known viruses. New viruses are largely undetected as the rules based techniques are almost completely ineffective. The detection of a virus is therefore done after the fact. In this situation, the attack is already underway, prior to the detection and usually has done damage already.
The companies selling virus protection are required to detect a new virus or variant of an old virus, assess the damage potential, develop compatible detection algorithms, notify users, and make updates to the virus protection. This procedure is a time consuming process and can take from a few hours to a week to accomplish.
Users of the virus protection must connect to the Internet to download the new virus protection thereby exposing their computer to attack. The protection must be downloaded, the virus protection program updated, and the system scanned for viruses. The process of scanning the computer can take as much as several hours, further limiting productivity of the work force. Even users of computers not infected can have appreciable loss of use to their computer system. Users of infected systems can suffer loss from a few hours to a few weeks.
Firewalls contain a weakness because they depend on blocking network traffic using IP addresses to perform selection of trusted sources. Attacks delivered through trusted sources such as email and files downloaded via browsers are not affected by firewall protection. Firewalls are also ineffective in preventing attackers scanning for vulnerability such as network ports left open by poor programming practices.
With respect to initiatives, acquisition policies and Common Criteria, these programs contain vulnerabilities. For example, although the widespread acceptance of the Common Criteria was greatly encouraged by NSTISSP no. 11, the cost of the process is very substantial and time consuming. The standard is still evolving and specialized expertise is required to accomplish certification. The results are still relatively unproven and recent attack successes have shown weaknesses in the model, especially the vulnerability analysis. The process of obtaining certification may last from 6 months for low assurance levels to more than 3 years for high assurance levels.
It is well recognized that vulnerability analysis of computer systems striving to prevent attacks can only give a level of assurance that attacks will not succeed. This analysis depends heavily on the concepts of attack potential vs. the strength of security function that has been designed into the system. These measures are passive methods that are in their infancy of definition and are subjective at best, resulting in a security methodology that has been ineffective as recent successful worldwide attacks have proven.
Therefore, it would be advantageous to have an improved method, apparatus, and computer instructions for preventing vulnerability to virus and worm attacks.